Information choice and security via a decoupled router with an always listening assistant device

ABSTRACT

An always-listening-capable first computing device decoupled from a second computing device, comprising an electronic sensor and gate-keeping module. All data received by the communications module based on data from the electronic sensor passes through the gatekeeping module while a gatekeeping function is disabled, no data based on data from the electronic sensor passes through the communications module while the gatekeeping function is enabled, all data input to the gatekeeping module is received via an exclusive input lead from the electronic sensor, and all data output from the gatekeeping module is transmitted via an exclusive output lead to a component other than the electronic sensor. The first computing device retrieves responses to user input from a server different from a server that the second computing device would have retrieved data from but for prevented communication between the second computing device and the second server.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of co-pending U.S. patentapplication Ser. No. 16/010,725, filed Jun. 18, 2018, titled “SECURE ANDPRIVATE PROCESSING OF GESTURES VIA VIDEO INPUT,” which itself is acontinuation-in-part of U.S. patent application Ser. No. 15/812,679,filed Nov. 14, 2017, titled “INFORMATION SECURITY/PRIVACY IN AN ALWAYSLISTENING ASSISTANT DEVICE,” and granted as U.S. Pat. No. 10,002,259 onJun. 19, 2018, each of which is hereby incorporated by reference in itsentirety.

FIELD OF INVENTION

This application relates to methods and systems for security and privacyof user input, including audible speech or visible gesture input, andperforming an assistive response to the user input via an“always-listening” medium.

BACKGROUND

Many devices or software solutions are currently marketed to consumersas “always listening,” including Amazon Echo® (a.k.a. Alexa™), GoogleHome™, Apple HomePod™ and Siri® on Apple® devices. However, thesedevices are configured to always listen for their respective “wake up”words, upon receipt of which the devices will only continue to recordadditional speech for a period of time (e.g., a single complete command,string or query proceeding their wake up words, ending with a pause).These wake up words let the devices know when a command or query isdirected to these devices such that the immediate proceeding speech datais captured and processed; and no other speech data is intended to berecorded or sent to the cloud in any way, shape or form, in order tosafeguard the security and protect privacy of audible data spoken byusers.

The current “always listening” devices would more appropriately betermed “always listening for a wake up word,” and are, in fact, inactiveand dormant in response to most speech, rather than “always” analyzingand determining a response to received speech and commands.

Further, these devices only respond by complying with a single commandor responding to a single query; they are unable to comply orintuitively follow a series of commands or queries due to thelimitations of the current systems and methods of “listening.”

Current market-available solutions for protecting data use a physicalbutton on the surface of the device to provide users complete controlover the microphone and whether these devices can listen at all.Requiring a manual button to ensure enabling and disabling themicrophone is inconvenient when consumers expect voice-only control, andis not a satisfactory solution. Device manufacturers primarily offer itfor the users' peace of mind.

Some systems control “always listening” status by software means, whichare always at risk of external digital intruders hacking in and stealingaudible or speech data from the microphone.

Consumers are unlikely to trust that these devices and securityprotocols will completely protect their privacy, especially if there isno direct speech control provided over the “always listening” function.

The current methods of using “wake up” words and security softwareprotocols are time and labor intensive to constantly develop, maintain,and improve—while still failing to achieve guaranteed security of mutingthe device when a user so desires.

Most current technological focus has been emphasized on improving themechanics or the “how-to's” of detecting audible speech, improvingaccuracy and offering “faster responses”—where the latter has beenfocused on pre-defining rules and programs to respond to queries orpre-analyzing past behaviors which is extremely limited given the vastpossible variety of queries and commands or desired assistance thatmillions of users would have, each more than likely to be unique.

Device makers and other advertisers compete to balance delivering themost desired assistance at the most applicable timing, with the mostsubject relevancy, based on user need and receptiveness, while beingperceived by the user as non-intrusive and non-disruptive.

SUMMARY OF THE INVENTION

An always-listening-capable first computing device decoupled from asecond computing device having a communication module and in a samecomputing network is disclosed, comprising a first electronic sensor, agate-keeping module implemented by a processor, and non-transitorymemory. The first electronic sensor is configured to record user inputcomprising an utterance or gesture. All data received by thecommunications module based on data from the first electronic sensorpasses through the gate-keeping module while a gatekeeping function isdisabled, no data based on data from the first electronic sensor passesthrough the communications module while the gatekeeping function isenabled, all data input to the gate-keeping module is received via anexclusive input lead from the first electronic sensor, and all dataoutput from the gate-keeping module is transmitted via an exclusiveoutput lead to a component other than the first electronic sensor. Thenon-transitory memory storing instructions that, when executed by aprocessor, causes the processor to: determine that user input recordedby the first electronic sensor comprises a first input content; andretrieve a response to the user input from a first server different froma second server that the second computing device would have retrieveddata from but for the first computing device preventing an electroniccommunication being sent from the second computing device to the secondserver.

A method of providing information security in a second computing devicehaving a communication module, via an always-listening-capable firstcomputing device decoupled from the second computing device and in asame computing network, is also disclosed, comprising determining thatuser input comprising an utterance or gesture and recorded by a firstelectronic sensor of the first computing device comprises a first inputcontent; and retrieving a response to the user input from a first serverdifferent from a second server that the second computing device wouldhave retrieved data from but for the first computing device preventingan electronic communication being sent from the second computing deviceto the second server. The first computing device comprises agate-keeping module implemented by a processor, wherein all datareceived by the communications module based on data from the firstelectronic sensor passes through the gate-keeping module while agatekeeping function is disabled, wherein no data based on data from thefirst electronic sensor passes through the communications module whilethe gatekeeping function is enabled, wherein all data input to thegate-keeping module is received via an exclusive input lead from thefirst electronic sensor, and wherein all data output from thegate-keeping module is transmitted via an exclusive output lead to acomponent other than the first electronic sensor.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts software controls in the prior art for the purpose ofmuting the function for “always listening” for the wake up words “HeySiri” on an Apple® iPhone®;

FIG. 2 depicts software controls in the prior art for the purpose ofmuting the function for “always listening” for the wake up words “OkGoogle” on an Android® OS device;

FIG. 3 depicts software controls in the prior art for the purpose ofmuting the microphone on a Windows® 10 OS;

FIG. 4 depicts third party software's prior art functionality forsetting a wake up word to command the software to begin dictation;

FIG. 5 depicts, in simplified form, the conventional relationship ofcomponents within a prior art personal digital assistant;

FIG. 6 depicts, in simplified form, an embodiment of an “alwayslistening”-capable electronic device;

FIG. 7 depicts, in simplified form, an alternative embodiment of an“always listening”-capable electronic device;

FIG. 8 depicts, in simplified form, an alternative embodiment of an“always listening”-capable electronic device;

FIG. 9 depicts a flow chart of an illustrative method of processing asecond, distinct wake up word;

FIG. 10 depicts an alternative flowchart of program logic for additionalfeatures of an always-listening device;

FIG. 11 depicts a decoupled gatekeeping accessory that may be attachedto an existing listening device to provide secure, always-listeningfunctionality;

FIGS. 12A, 12B, and 12C depict a decoupled soundproofing or otherwiseinsulating barrier for assisting in providing secure always-listeningfunctionality; and

FIG. 13 depicts a system including a decoupled network device forproviding secure, always-listening functionality while selectivelydetouring a portion of a user's generated network traffic to analternate destination.

DETAILED DESCRIPTION

An improved method, apparatus and system for protecting audible data aredisclosed herein, including a microphone or camera (herein referenced as“receiver”) incapable of receiving electrical signals from sourcesexternal to the device (but remaining capable of transmitting electricalsignals and data), and may be one or more independent processor(s)incapable of receiving external electrical signals (while capable ofreceiving data) or gate keeping module embedded on a bi-directionalprocessor where the gate keeping module resides where the gate keepingmodule is incapable of receiving external electrical signals (remainingcapable of transmitting electrical signal and receiving data from areceiver), where the gate keeping module or independent processor(incapable of receiving external electrical signals) may act as alocalized preprocessor to preprocess a user's voice command prior toenable or disable truly “always listening” of the electronic device.Localized, unhackable control to turn on and off true always-listeningvia voice command are thus provided. This preprocessor or preprocessing(or gate keeping) function may be capable of directly relaying audibledata to a wireless communication module, or to the primary processor toperform other processing functions such as end-to-end encryption beforerelaying the then encrypted audible data to a wireless communicationmodule; which then may connect to a remote computer (e.g., cloud serversor computing platforms). In essence, the preprocessor/gate keepingmodule acts as the unhackable “valve” of one-way communication thatfeeds received data from the receiver to the primary processor orwireless communications component.

The methods described herein utilize a localized preprocessor orpreprocessing function on a processor that is incapable of receivingexternal electrical signals, isolating the “always listening” functionand control to a local user, where the control of the gate keepingmodule is literally without outside data access and thus not susceptibleto hacking.

FIGS. 1-4 depict various software controls in the prior art forcontrolling the listening and response of a digital personal assistantdevice. For example, interface 10 of FIG. 1 shows a toggle 11 forallowing the wake up words “Hey Siri” to trigger listening without aphysical interaction with the device. Similarly, FIG. 2 displays anAndroid® interface 20 allowing the words “OK Google” to triggerlistening. FIG. 3 displays an interface 30 in a Windows® operatingsystem with a button 31 for disabling microphone input to the system.Finally, FIG. 4 displays an interface 40 in third party software“Dragon® Dictation” for controlling dictation generally, in tab 41 andsetting a particular wake up phrase 42 to trigger recording and action.

FIG. 5 depicts, in simplified form, the conventional relationship ofcomponents within a prior art personal digital assistant. A user maypress a button 100 to physically disable (mute) the microphone 101 from“always listening for a wake up” word. Under normal operating conditions(unmuted), microphone 101 passively listens for a wake up word(s) todetect, and once detected, will record a speech string, query or commandimmediately following the precursor wake up words to be sent to theprocessor and/or wireless I/O component 103. Once the string is receivedby the processor or wireless I/O component 103, the singular string isin most cases transmitted to a cloud server 104, or processed locally ifthe processor stores a set of preprogrammed executable instructions suchas, for example, “turn off <name of> light.” The processor/alwayslistening device then returns to passively listening for the precursorwake up word(s). If the string is transmitted rather than processedlocally, the cloud server 104 processes the string, query or command,and returns a response to the first processor/through the Wireless I/Ocomponent 103. The response is then processed to actually comply with acommand, or play an audible response through the speakers 105.

FIG. 6 depicts, in simplified form, an embodiment of a truly “alwayslistening”-capable electronic device. The device could alternatively bedescribed in other embodiments as “always receiving,” “always watching,”“always recording,” “always transmitting,” and/or any other method ofsensing and recording input from sensors, whether those sensors aremicrophones, cameras, or other electronic devices capable of capturinginformation about the environment.

Microphone (or camera or other receiver) 200 may be configured to alwaysbe listening (or recording, or monitoring sensory feeds other than audioinput) for potential instructions from a user, including, but notlimited to, activating an always listening mode, deactivating an alwayslistening mode, activating or deactivating features of an underlyingdigital personal assistant system, or providing digital personalassistant services such as responding to verbal queries. Recorded audio,video, or other data may be transmitted from receiver 200 to apreprocessor and/or a gate keeping module 201.

In some embodiments, the device may comprise two or more distinctreceivers. The first receiver 200 may be powered on and monitoring foruser input so long as the device is powered, but may have no data leadsto the device's communications module 202, and thus may be preventedfrom communication with remote servers or other outside devices. Dataoutput from the first receiver may be sent only to a processor withlimited language processing ability and/or a gatekeeping module 201. Thesecond receiver 206 may normally be powered down or cut off from datatransmission, with power being restored or data transmissionfunctionality being restored only when permitted by the gatekeepingmodule 201.

The gate keeping module 201 may control or restrict the means of inbound(including but not limited to authorized and unauthorized electricalsignals) or outbound data (audio, video, speech, gesture, or other data)at a critical path, component or function of the electronic device.Alternatively, the gate keeping module 201 may permit or deny power frompower source 205 (which may be, for example, a battery or a connectionto A/C power) to particular components of the device, including (but notlimited to) a microphone, processor, and/or communications module (e.g.,Wi-Fi, ZigBee, Bluetooth, Near Field Communication (NFC), cellular phoneconnection, etc.). In some embodiments, the various components arealways directly connected to power source 205 (indicated by solid linesin the figure) while others may be either directly connected orconnected through the gatekeeping module 201 (indicated by dashed linesin the figure).

The gate keeping module 201 may be implemented as an integrated circuit,a chip on a motherboard, or any other form of hardware solution.Alternatively, the gate keeping module 201 may take on the embodiment ofsecurity programming or protocols that are stored on non-transientmemories, such as (but not limited to) EPROM (a memory that can only beerased locally and physically by shining a UV light onto the adesigned/designated area on the memory chip and cannot be reprogrammedremotely). It should be understood that a person of ordinary skill inthe art would be able to apply the gate keeping method as describedherein in any number of alternative hardware and/or softwareembodiments.

The programming/protocols may have a function to limit inboundelectrical signals received to a preset size or period of time or basedon the most recent activity (e.g., sending a request to a server to loada webpage might permit an electronic device to receive data for a periodtime or until the webpage is loaded, but when there is no recent datarequest within a preset period of time, the gate keeping module withinthe EPROM may prevent additional data to be received by the electronicdevice through the wireless receiver) to prevent the electronic devicefrom being hacked.

Alternatively, a gate keeping module may be set to “block (or limit)continuous audio transmissions on wireless transmitter,” if a gatekeeping module-processor does not have local input permissions from auser to continuously transmit.

The gate keeping module may be set to permit microbursts of inbound dataduring time intervals (e.g., anywhere from picoseconds, to seconds, tominutes) to enable an expected stream of data to be downloaded by thedevice, to allow checking for push notifications, and to allow receptionof responses by a server configured to process user data, but makedifficult or impossible a continuous connection needed to gainunauthorized access or “hack” a security loophole, upload maliciousdata, or perform a denial of service attack. The length of theintervals, or the length of periods of disabled communication betweenthe intervals, may be selected randomly or at fixed intervals (such as,for example, disabling communication for one millisecond every twentymilliseconds, or for one randomly chosen millisecond out of everysecond). The length of intervals may also be related as a proportion(such as, for example, inbound data being allowed for five times aslong, twenty times as long, or any other multiplier of time compared tothe interval of time that inbound data is disabled.

The gate keeping module may be designed to allow incoming dataconnections to the function itself only locally by physical, wired meansor by more limited-range wireless means such as (but not limited to)Bluetooth, NFC, etc. The function may be secured by one or more of apassword, digital fingerprint (such as a cookie or token) required on amodifying device, or by software requiring physical identification orverification of a user's identity by a user's personal electronic device(e.g., an app on a smartphone or other mobile device) before allowingmodification of the function's software. This method of allowing somedegree of programming or reprogramming the gate keeping module wouldallow for beneficial security protocols and updates, not necessarily for“intrusion prevention” but also for “transit” related security andcustomization. For example, a gate keeping module might be programmed toconnect to another cloud computing platform other than one designatedand hardcoded by the original manufacturer (e.g., Alexa™/Echo® may bereconfigured to connect to a Microsoft® platform by identifying a new IPaddresses to which audible speech is permitted to be sent).

The gate keeping module may also be programmed and/or updated regularlyby predetermined software, such as (but not limited to) a smartphone“app.” In some embodiments, the device may be reprogrammed to use a VPN(Virtual Private Network) to relay the audible speech or gesture data toa server processor in the cloud. Alternatively, the device may beprogrammed to select from among a set of possible IP addresses, based onload-balancing or traffic-balancing considerations. A security featuremay be added to have a two-point verification of encryption and/ormalicious code passing as or through as audible data or gesture datauploaded.

Alternatively, a gate keeping module or processor may be programmed toforward received data to a local preprocessor. For example, receivedspeech or gesture data could be forwarded to a local server 207 on thesame wireless network as the device, or to a smartphone app, instead ofto a remote server. In this way, information privacy and security can beensured, and may also allow operation in some capacity even if thewireless network's connection to the greater internet is lost.

In another embodiment, a digital personal assistant may comprise aplurality of processors where the wireless communication component islimited to receive externally-originated inbound data and transmittingthe inbound signal to a first processor only, the first processor beingunable to transmit signal to the wireless component and only able totransmit signals to a display or speaker. Further, the wirelesscommunication component may be limited to only receive outbound(received input) data from a second processor (received from one or morereceivers) to transmit to a remote computing device; thus, rendering thereceivers unable to be overridden by digital intruders.

Purely local processing of speech and gesture data may enable moresecure applications related to security and privacy. For example, if ahome security system is controlled by speech, gestures, facialrecognition, or other video or audio inputs that require processing,local processing may be preferred to remote processing that might allowa remote hacker to disable the house's security. A private and secure“walkie talkie” or other communication function may be added to operateoff the local network and allow communication between multiple deviceson the local network.

In some embodiments, the preprocessor 201 may be programmed to allowcontinuous transmission of all audio or video data received by thereceiver by default, and only enforce restrictions on the datatransmission in response to particular user inputs.

In another embodiment of the preprocessor(s) and its function, thepreprocessor 201 may contain a localized Natural Language Processing(NLP) programming embedded in a non-transient memory tasked withpre-parsing continuous strings of received input by the user into anindividually most-comprehensible sub-string.

For example, a user may prefer to make a series of commands withoutpause, the always listening device and/or its cloud computing unit mightnot be able to decipher a complex series of commands such as: “Playclassical music on Pandora® set volume to four stop playing in one hourturn off bedroom lights set alarm seven A.M.” However, utilizing thepreprocessor 201 comprised of a pre-parsing NLP may allow analysis andtransformation of the string into five individual commands beforetransmitting to the cloud computing unit:

-   -   “Play classical music on Pandora®,”    -   “Set volume to 4,”    -   “Stop playing in 1 hour,”    -   “Turn off bedroom lights,” and    -   “Set alarm 7 A.M.”

In response, the cloud computing server 203 may be able to respondrespectively in sequence, as normal to its original function and/orcontinuously:

-   -   “Playing classical music on Pandora®.”    -   (Silently actualize change in setting—i.e., Amazon® Alexa™ does        not provide audible feedback on changing volume)    -   “I will stop playing in 1 hour.”    -   (Actualize the change in setting) “Okay.”    -   “Alarm set for 7 AM.”

The pre-parsing of a string may be accomplished at the remote cloudcomputing unit 203 as well; or in any other configuration where it isaccomplished before being introduced to the actual NLP or ASR (AutomatedSpeech Recognition).

In another embodiment, the gate keeping module and/or its associatedhardware may be independent, in a device separate from an “alwayslistening” electronic device.

The gate keeping module 201 may comprise Natural Language Processing(NLP) to locally process input from a user.

In FIG. 6, the arrows depict directional flow of data transmissions,both wireless and wired, within the electronic device. As shown, thepreprocessor and/or gate keeping module 201 is restricted tosingle-direction, outbound transmissions. The gatekeeping function 201may be embedded in either a single-directional processor (i.e., a deviceor component having only input from the receiver and having only outputto a downstream processor) or a bi-directional processor, so long as thegate keeping module is restricted to only a single-directional, outboundtransmission. The single-directional feature, if not enforced by thedata input/output ports themselves, may be enforced by, for example,software stored in a read-only memory (ROM) and executed by a processorin the gate keeping module 201.

In the illustrated embodiment, the preprocessor and/or gate keepingmodule 201 relays and protects speech or other video or audio datareceived by the receiver 200 before transmitting it to the primaryprocessor and/or wireless input/output communications component 202,which transmits the speech data to the cloud or other remote server 203.

The primary processor 202 may encrypt the speech data or otherwiseensure security of the data transmission channel prior to transmission.Alternatively, the encryption may occur at the preprocessor level 201;or both, for a multilayer encryption feature.

The system/component/method may be integrated into various types ofelectronic devices, such as (but not limited to): mobile phones,tablets, laptops, computers, smart watches, televisions, lighting, mediaplayers (e.g., a DVD player, a Blu-Ray player, iPod, etc.), homesecurity systems, smart home devices (such as smart thermostats, smartrefrigerators, smart locks/doorbells, etc.). A personal of ordinaryskill in the art would be able to apply this invention to a number ofother scenarios, applications and methods of integrating an embodimentthat would provide added value to the user, device maker, content(and/or advertising) delivery provider, or a combination thereof.

In some embodiments, an integrated gate keeping module without externaldata inputs can be used to protect video or other types of data feedsthat a user might find sensitive and wish to keep secure and private.

In some embodiments, the device may include one or more light emittingdiodes (LEDs), whose lighted/unlighted status, color, or pattern ofblinking allows the user to visually ascertain whether the alwayslistening mode is on or off. Other visual or auditory effects may beused to indicate the always listening status, including, by way ofexample, a symbol, icon, or flashing icon on a screen or display of adevice, an occasional beep or prerecorded sound to remind the user thatthe always listening mode is engaged, or any other way of alerting orreminding a user via that user's sensory input that recording isoccurring.

While a speaker for device output to the user is preferred, in someembodiments, the device might not include a speaker for output, whichmay instead be provided by one or more of lights, vibrations, a videoscreen, or other visual indicator. Alternatively, the device may be bothcompletely silent and unchanging in visual appearance, exclusivelyperforming data transmissions and updates in the background withoutfeedback to the user.

In some embodiments, the device may incorporate one or more sensors inaddition to a microphone or camera, including (but not limited to) avibration sensor (such as a seismograph), global positioning system(GPS), accelerometer or gyroscope for determining orientation,thermometer, humidity sensor, etc. The additional sensor(s) may be usedto determine possible user intent even without an utterance or gesture,such as, for example, detecting the vibration of a fallen user, anunsafe temperature in a living area, or other emergency situations.

The “always listening” mode, where and when the capability is enabled bythe user, the device and/or its offsite functions (e.g., cloudcomputing, logic, Natural Language Processor, or artificialintelligence) may listen/receive/record, process, record useful data andascertaining appropriate times to respond and/or provide assistivedetails. For example, if a user elects to have “always listening” on,the device may be able to provide a number of useful services based onaudio input:

-   -   If a user verbally schedules an appointment (with another user        physically present or via telephone), the device may add the        appointment to a software calendar associated with the user.    -   If a user conversationally inquires to a second user, “Who is        that actor?” while watching a movie, the device may attempt to        determine the movie and scene being watched, check a data        repository of information about the movie, and respond with a        best guess/estimate of the identity of the actor.    -   If a user speaks to a secondary user or household member to        “remind them” of an upcoming event or assigned task, the device        may respond appropriately by adding a reminder regarding the        event or task to their digital or cloud notes, or adding a        mobile phone alert for that secondary user.    -   If a user converses with another user or household member on        where to go or what to have for dinner, the device may respond        with suggestions of nearby restaurants that have paid to        advertise, have promotions, etc.;    -   If a user asks how far a suggested restaurant is, the device may        determine the user's location (via a GPS unit in the device,        address from the user's profile, or another means of estimation        such as cell tower triangulation) and respond with approximate        distance from the user to the restaurant.    -   If a user says the restaurant is too far (to the device or to        another user), the device may inquire if there is a time or        distance parameter the user would like to stay within.    -   If users discuss and pause for a period of time after the last        time or distance conversation concluded, the device may make an        alternative suggestion within any provided parameters or        parameters received or determined from the users' discussion.    -   If a user(s) discuss and pause for a period of time after a type        of food the user(s) would like, the device may make a suggestion        within the parameters of the user(s) discussion or instructions.    -   If a user(s) discuss and pause after a period of time a movie        he/she/they would like to see, the device may provide        information on show times, locations, distance or a combination        of    -   If a user conversationally describes the environmental        conditions as being uncomfortable, the device may connect to one        or more thermostats, cooling systems, heating systems, fans, or        other external environment control devices, transmitting an        electronic command to the apparatus' to modify the settings to a        more desirable level. Similarly, if a user were to say, “It's        too bright in here,” the device might transmit a signal to        motorized curtains to close or close slightly, or transmit a        signal to a dimmer switch to dim the lights to a lower setting.    -   If a user describes symptoms of illness, the device may suggest        methods of treatment, automatically update a user's medical        record for consultation during a future medical appointment,        and/or interject, recommending seeking immediate medical        attention.    -   The user may preprogram the system and/or device to recognize        specific “safety” and “emergency-send help” code words or        gestures to enhance the security of the user. For example, a        code word such as “blue elephant” may be used as an “all-safe”        word/phrase (and may be verified with Voice ID) upon entry of a        dwelling equipped with an armed security system. Alternatively,        a user may configure a specific phrase or gesture to indicate        “User under duress—send help!” If an intruder subsequently        coerces a user to deactivate a security system, uttering the        phrase may cause the security system to enter a false disarm        state while alerting the authorities. A third phrase or gesture        may be used to immediately trigger the security system, as a        “panic” command while the user attempts to escape or hide.

The audio processing functionality may additionally be configured towarn a user of potential spurious or malicious input. For example, if auser may be listening to audio on the radio or streaming via web thatcomprises a hidden message at a frequency above or below normal humanhearing ranges (approximately 20 Hz-40 kHz). Rather than act upon audiorecorded by the microphone, a device may be configured to insteadaudibly or otherwise warn the user that it is perceiving an attempt toissue inaudible commands, and may offer to enter a more secure mode thatdisables one or more command types, temporarily disable audio input tothe device, or temporarily disable audio output by whatever device isgenerating the audio. Similarly, the system may be trained to recognizevoices of a number of members of a household, and determine that anreceived verbal command either came from a recorded voice incurrently-playing audio entertainment, or from a visitor in a householdwho is not authorized to issue commands to the device. The system mayask for confirmation or refuse to act upon input that cannot beconfirmed as originating from an authorized or normal user of thedevice.

Similarly, a system comprising a camera may be able to provide a numberof useful functions based exclusively on video data or on a combinationof audio and video data.

-   -   If a user is unable or unwilling to speak (e.g., the user is        deaf, is mute, is eating, is in a loud environment and does not        want to shout over the sound, etc.), the user may still enjoy        the safety and helpfulness of a personal assistant device        through custom or language based gesture communications with the        device. The system may be configured to recognize        microexpressions (such as a smile, frown, gasp, pursed lips,        flared nostrils, movement of eyebrows, movement of eyelids,        movement of tongue, movement of cheeks, etc.) as well as        macroexpressions (waving hands, sets of one or more raised        fingers, traditional communication in American Sign Language or        other sign languages, etc.). Micro- and macroexpressions can be        combined with ascertained information on the volume or content        of speech to determine a likely user mood or intent. Information        gleaned from these determinations of mood or intent may be used        to update a user profile (such as remembering that a user likes        a sports team if the user cheers when the team wins, or        remembering that a user does not like a food if the user        grimaces after eating it).    -   The system may additionally be trained to “read lips” or other        user intents expressed through micro- or macroexpressions        through processing of video data, even when audio data is        unavailable or unintelligible. Spoken words may be converted to        a query or command and acted upon by the system through analysis        of the video data alone, or by supplementing available audio        data with video data to read the lips of a speaker.    -   If user were to fall to the floor and/or emit a cry of pain or        discomfort, the system may inquire as to the well-being of the        user, contact a third party such as a family member or friend,        or contact an emergency service to direct medical aid to the        user. If a user is unresponsive after a fall or injury, the        system (if permitted by the user in advance within the systems'        settings) may override and access additional video feeds to        ascertain the state of the user, and/or forward the video feeds        to the third party or emergency service. The system may        immediately escalate the situation based on characteristics of a        fall, such as falling down stairs or from a ladder, instead of        merely falling from a standing position or out of bed. The        system may also be able to use video data to detect blood,        likely broken bones, or other signs of injury in order to        determine a likelihood or severity of injury.    -   The system may build up a model of the locations of a number of        objects in a location through the use of a camera (or        triangulate precise locations via multiple cameras), and may use        the information to assist a user. For example, if a user is        walking around at night, the system may determine that an object        is in the user's path which is normally not in that location,        and audibly warn “You are about to run into a misplaced chair!”        to help the user avoid stubbing a toe or tripping in the        darkness. Similarly, the system might track the user's location        himself, and warn the user that the user is walking on a        different path than usual and may collide with a wall or        furniture.    -   The system may also be able to generate a warning that a theft        may have occurred by determining that one or more objects, such        as jewelry, electronics, paintings, furniture, etc. are not in a        location typical for the model. The determination of a possible        theft may also be based on facial recognition and the        determination that objects have disappeared after an unfamiliar        face was present, or proactively generated based on the presence        of an unfamiliar face when a resident family is absent, even if        no other objects have yet moved.    -   The system may determine, using object recognition, that a        dangerous or undesirable situation is occurring. For example, a        child may be determined to be holding a knife, firearm, other        sharp or explosive object, a choking hazard, an expensive and        fragile item, or other object to which the child should not have        access. In response, an alert may be generated and sent to a        parent or other caretaker of the child. Automatic detection of        other undesirable or unsafe situations, such as a teenager        possessing drug paraphernalia, or an adult whose movements        indicate that he may be under the influence of alcohol while        holding car keys, may generate alerts to an appropriate        recipient who can act to address the situation.    -   The system may determine a final intent of an ongoing user        action and offer to contact help if the action is taking a        length of time determined to be anomalous for the action type.        For example, a person determined to be working with tools in a        bathroom or under a sink may be prompted with contact        information for a local plumber after one hour has elapsed. A        person holding a hammer, wrench, screwdriver, or other hand tool        in a living room or bedroom may be prompted with contact        information for a local handyman or carpenter after a        predetermined period of time has elapsed. A person who is in        proximity to an automobile for a period of time without getting        into the automobile and leaving may be prompted with contact        information for a mechanic, towing service, or other auto        service company.    -   The system may also provide help during an ongoing process. For        example, the activities of a person in a kitchen may be tracked        as they cook a recipe, so that if they pause for a period of        time, they are automatically audibly prompted with the next step        of the recipe without having to consult the cookbook or website        whose recipe they are using. The current step of the recipe can        be determined by cross-indexing video recognition of the user's        actions with the user's search history or the determination of a        page of the cookbook that the user previously consulted. In        another embodiment, a teacher of a class or a parent of multiple        children might instruct a group of pupils/children to undertake        a particular task or craft project. The system may track the        current actions of each person and be ready to interject with        help or notify the teacher/parent if the person expresses        confusion, frustration, or appears to be undertaking actions        inconsistent with a description of the activity that may be        entered or preconfigured into the system.    -   The system may use observed user actions to generate reminders,        update shopping lists, or add items to an online shopping cart.        For example, if a user pours a bowl of cereal and then fails to        find milk and expresses surprise, sadness, or disgust, milk can        automatically be added to a shopping list, or an automatic        reminder may be generated and transmitted to the user's mobile        device when the user is in a grocery store, or a message may be        transmitted to another member of the household who is currently        outside the house and may buy the milk on the way back. Similar        determinations may be made that the household needs to buy a        light bulb (in response to a video determination of reduced        lighting and/or overhearing a user say that they cannot find a        lightbulb), diapers or other baby supplies, or any other good        that may be regularly bought and depleted by a household.

A user may be given fine-grained control over how video data received bythe device or system may be provided to third parties. For example, thegatekeeping module may be configured to always blur the entire body, orface, or parts of the body except the face, or any exposed skin, beforeallowing external transmission. Particular parts of the body, such ashands, feet, and/or face may be preserved or isolated for transmission,so that other background information is not transmitted. Backgroundinformation such as the room, furniture, video screens, documents, orother objects may be specifically excluded or included in any videotransmitted external to a device.

Embodiments controlling the continuous transmission of video content maybe useful in an industrial/commercial scenario—for example, where theftmay occur or safety/liability is a concern. In a warehouse implementingan always listening or watching system, the data feed (audio, video orboth) may be continuously processed, deciphered and/or analyzed toformulate, retrieve, compute, access, assess or a combination thereof,for a best suitable response to the data such as providing visualfeedback through a display or audio feedback through speakers to aidworkers, enhance safety or detect unsafe behavior, or alert store orofficial authorities to break-ins, shoplifting, or theft. Additionally,the system may save received data regarding infractions for trainingpurposes.

Alternatively, the received data used in monitoring infractions may befurther used for determining non-moving violations such as illegalparking or exceeding a time limit for parking meters, etc.

A response by the system and method may be passive or active. Forexample, a passive response would be, in response to an overheardconversation, making an appointment to the user(s) calendar(s); anactive response would be providing restaurant suggestions to anoverheard conversation of where to go for dinner or order delivery.

Some embodiments may contain one or more displays to provide video ondemand or assistance delivery, such as, for example, visual how-to's,advertisements, promotions, coupons or similar video content expected tointerest or inform a user of the device.

In some embodiments, other data about a user that comes up inconversation, such as a user's favorite color, favorable or unfavorableopinion on a topic, or other commentary that comes up in conversation,debates, or arguments may be recognized by a processor as not a query ora request to which assistance may be provided. However, the informationmay nonetheless be archived in a database to allow for better assistancein the future, for example, in response to a request to purchase an itemonline, purchasing the item in the user's favorite color, or suggestinga book or TV show to watch based on previous commentary by the user. Thesystem may, in some embodiments, learn and store one or more of a user'sage, gender, household demographic, products owned, and otherinformation relevant to a user's tastes. Data about users in a householdmay be anonymized to prevent identification and respect privacy of theusers in the case of data breach or other unauthorized access to thedata stores.

Audible data collected from a user through an always listening deviceand the response of assistance might not be restricted to householdsonly. For example, in an industrial or commercial application, audibledata collected through an always listening device, may be deciphered andanalyzed. If one employee asks another, “Do we have a certain item instock?”, the system may interject in the conversation and audiblyrespond, “Yes, 123 units are available in the New Jersey warehouse and234 units are available in the New York warehouse” or “No, but there isan expected shipment due in July 7th.” By building up a model andlearning the context of conversations held in a particular device'slocation, responses to ordinary questions can be accurately provided.

FIG. 7 depicts, in simplified form, another embodiment of an“always-listening” device.

In some embodiments, the preprocessor and/or gate keeping module 301 canbe integrated together with the primary processor 306 and wireless I/Ocommunication module 302 so long as the preprocessor and/or gate keepingmodule 301 is restricted to have only single-direction, outboundtransmission capability. In this embodiment, the primary processorwireless transmitter/receiver 302 transmits the speech data to cloud orother remote server device 303 and receives a response in turn that maybe relayed in the form of audible feedback through one or morespeaker(s) 304. Power from power source 305 may still, in someembodiments, only pass to microphone 300 via the integrated gatekeepingmodule/processor/communication module, while in other embodiments, themicrophone 300 may have a direct power link that is not severable.

FIG. 8 depicts, in simplified form, an alternative embodiment of an“always listening”-capable electronic device.

In some embodiments, a first preprocessor and/or gate keeping module 401and a second preprocessor and/or gate keeping module 402 may each bepassively “always listening” for its own unique wake up phrase. Forexample, the preprocessor and/or gate keeping module 401 may have thewake up phrase be the word “Alex,” whereas the primary processor wake upword may be “Alexa™” (per usual for an Amazon Echo®).

In other embodiments, the wake up phrase may be a particular word, aparticular series of words, a hand gesture, a facial gesture, a bodilymovement, a tone, a whistle, a pattern of sounds, a pattern ofmovements, a pattern of taps, or any combination of the above. The wakeup phrase may be preconfigured to the device, or may be set by a user tothe user's taste.

In one example, if a user says “Alex,” followed by a single string suchas “allow always listening,” the system may respond by allowingcontinuous listening and transmitting of speech data. Similarly, “Alex”followed by “stop listening” may discontinue listening and transmittingof speech data.

After fulfilling the “stop listening” command, the system may return toa passive mode. The preprocessor and/or gate keeping module may also beintegrated or kept independent of a second or primary processor.Further, the wireless I/O or transmitter/receiver may be integrated orkept independent of a processor.

In some embodiments, the first gate keeping module 401 may have controlover or communicate with the second gate keeping module 402. Forexample, if gatekeeping module 401 is added to an existing system thatis not fully trusted, a user may be able to use a first wake up phraseto control whether the existing system is able to listen at all, andprevent the existing system from reporting recorded data to a centralserver.

FIG. 9 depicts an illustrative flow chart of an improved method ofprocessing a second, distinct wake up word.

For example, in the case of an Amazon Echo®, a second wake up word, suchas “Alex,” could be used in addition to the default “Alexa™.” Whilelistening (Step 900), if the first default wake up word is used (Step901), the standard device behavior is followed.

The next audible phrase after the received wake up word is received(Step 903) and transmitted to the cloud or other remote server (Step904) for natural language processing (NLP) and a determination by theremote server of the best direct or indirect response to each verbalinput or gesture by the user (Step 905). If the proper response isinformation, speech, music, etc., it is output through the device'sspeaker(s); if the proper response is an action (e.g., downloading afile, communicating with another device's API, etc.), that action isperformed (Step 906). The device then continues to listen again for thefirst wake up word or gesture (Step 900), process any additional verbalinput, and deliver any subsequent assistance to the user.

If, instead, the second wake up word is received (Step 902), the “alwayslistening” mode is engaged (Step 907). The always listening cycle (Steps908-911) mirrors the conventional series of steps (receive user input,transmit to cloud, determine best response, and effect the response),but in a constant cycle, or even a constant series of multipleconcurrent cycles (i.e., receiving a second user input and transmittingit even before the server responds based on the first input), instead ofreturning to waiting, dormant, for a wake up word, phrase, or gesture.Multiple, asynchronous series of the steps (Steps 908-911) may be inprocessing simultaneously, and responses may be prioritized in real timebased on perceived user need. For example, if a user were to say “Iwonder where the nearest Mexican restaurant is. Actually . . . I think Iwant Chinese instead,” the system might have begun processing therequest to determine a Mexican restaurant location, but then receivedthe second statement before making the determination. In response toreceiving the second statement, the Chinese restaurant query may beprocessed and output, in lieu of the Mexican restaurant.

Responses may be prioritized based on any one or more of perceivedindicators of urgency (e.g., tone, volume, vocabulary used to indicateimportance or danger), emergency or safety concerns, content and subjectrelevancy, determination of the user's current intent or interest,determining that a user no longer needs assistance, ranking users in aset of users (such as responding first to a device's owner, or to adultsover children), subject relevancy, or highest bidder of advertisement.Thus, after the “always listening” mode is engaged by receipt of thesecond wake up word, the system can become a passive or activeparticipant in the conversation, interjecting to query or provideinformation, or passively updating calendars or other data stores inresponse to what is overheard.

FIG. 10 depicts an alternative flowchart of program logic for additionalfeatures of an always-listening device.

As in FIG. 9, the system listens for input (Step 1000); if a firstwake-up phrase is used, the normal, single-query process may be followed(Steps 903-906), and if a second wake-up phrase is used, in conjunctionwith a command to engage always-listening mode, the always-listeningmode with continuous response to input may be triggered (Steps 908-911).This feature may prevent users from accidentally triggeringalways-listening mode merely by saying the second wake-up phrase,without confirming their intent, and unwittingly having the device belistening and/or performing actions in the background.

In addition, the always-listening mode should always be listening for aninstruction of the user to end the always-listening mode (Step 1005), inwhich case the system may return to its normal function of listening(Step 1000) in order to enter either a single-query cycle or amulti-query, always listening cycle.

In some embodiments, the system may listen for an additional command todisable one or more parts of the system functionality (Step 1002). Thefunctionality involved may include disabling a microphone or otherreceiver of the device, disabling a gatekeeping module (to allow data orpower to be transferred through the gatekeeping module unhindered),disabling one processor of a plurality of processors, or disabling acommunication module for communicating with the cloud or with localdevices. The system can then listen for a command (Step 1003) tore-enable the disabled functionality, which, if received (Step 1004)returns the system to its previous function.

The disable functionality/enable functionality cycle (Steps 1002-1004)may instead be included within the flow of either the single-query cycle(for example, between Steps 903 and 904) or multi-query always-listeningmode (for example, between Steps 908 and 909).

For example, while in always-listening mode, a command could be issuedto turn off one microphone or other receiver used by a multi-receiverdevice, while leaving another microphone or receiver functional, if, forexample, a user does not trust an underlying digital personal assistantreceiving data from the first receiver, but does trust a gatekeepingmodule added to the digital personal assistant and controlled by inputfrom a second receiver.

In contrast to the embodiments described above, integrating agatekeeping module or chip into a same device that provides assistiveresponse to a user, the functionalities described above (Steps1002-1004) regarding providing a means for one microphone or otherreceiver in a multi-receiver system to control the input and output ofother receivers and subsystems of the same system may be implementedwithin decoupled devices that are introduced into an existingalways-listening system to provide additional functionalities notpresent in the system before addition of the decoupled devices, withoutmodifying the software or hardware of devices of the always-listeningsystem directly.

FIG. 11 depicts a decoupled gatekeeping accessory that may be attachedto an existing listening device 1150 to provide secure, always-listeningfunctionality.

Existing listening device 1150 may be, for example, a mobile phonehaving a microphone and assistive voice search built in to the phone'soperating system, or may be a commercially available and pre-configureddigital assistant such as Amazon's Echo or Google's Home devices.

Accessory 1100 is configured to plug into an external port of existingdevice 1150 and may include, for example, the gatekeeping module 201 andmicrophone 200 described previously, as well as an input/output couplinglink 1105 configured to fit into the external port.

In a preferred embodiment, the input/output coupling link 1105 may be acable appropriate for plugging into a 3.5 mm jack (the traditional“headphone” jack) of device 1150. In other embodiments, the input/outputcoupling link 1105 may be a cable that uses another connection protocolor cable termination type, such as (but not limited to) USB (UniversalSerial Bus, types A, B, C, “mini,” or “micro”), HDMI (High-DefinitionMultimedia Interface), VGA, DVI (Digital Visual Interface), Firewire, orother forms of data bus, physical cable connection type, and/orassociated protocols for transmission and reception of data. In stillother embodiments, the input/output coupling link 1105 may involve awireless transmitter and establish a connection wirelessly, such asthrough a Bluetooth, WiFi, NFC (Near Field Communication), or otherconnection. Accessory 1100 may comprise multiple input/output couplinglinks 1105 to allow the accessory to function with multiple differenttypes of existing listening device 1150. Similarly, it may allow removaland insertion of new the input/output coupling links 1105 to work withnewly developed existing listening devices 1150 via external port typesor communication protocols not yet invented, but for which a connectionis established either by a software update to a wireless transmitter ora cable with a new external link type at one end and a familiar externallink type of accessory 1100 at the other end.

Existing device 1150 may have one or more system APIs that allow anelectronic communication to directly disable (e.g., issue a command to apersonal digital assistant application itself to pause execution, orterminate, or stop listening temporarily or until a command is issued tore-enable, etc.) or indirectly disable (e.g., at the operating systemlevel, turn off a microphone or other receiver of device 1150 or disableapp permissions to access the microphone, etc.) listening functionalityof device 1150. Similarly, system APIs may permit re-enabling of systemor application features, or allow configuration data or other rules foroperation of the listening functionality of device 1150 to be modified.

In response to a user command to stop listening, perceived by microphone200, gatekeeping module 201 may cause an API command to be transmittedvia input/output coupling link 1105 for reception by the operatingsystem of device 1150 or by software of device 1150 that is providingpersonal digital assistant capability, for processing according to theAPI to terminate (or make impossible) further listening by device 1150.Consequently, security is enforced by accessory 1100, as an API commandto re-enable listening will not be sent by the listening software ofdevice 1150 itself, only by accessory 1100, which remains linked by link1105 and which will transmit the API command to re-enable only if theuser interacts with accessory 1100 and directly or implicitly requestsre-enabling of the functionality of device 1150.

Users may distrust device 1150 to refuse to re-enable itself in secretor to have an API that is unhackable by another agent or device sendingAPI calls to device 1150. Accordingly, the use of decoupled devices thatplace no trust in device 1150, as described below, may be preferable.

FIGS. 12A, 12B, and 12C depict a decoupled soundproofing cap orotherwise insulating barrier for assisting in providing securealways-listening functionality.

Cap 1200 (which, like accessory 1100, at least includes a receiver 200and gatekeeping module 201) may be affixed to the independent,always-listening device 1150 such that cap 1200 obscures or interfereswith a second receiver 1250 of device 1150.

In one embodiment (depicted in FIG. 12A), cap 1200 may cover a minimalportion of the outer surface of device 1150, as required to obscure orblock second receiver 1250 alone, without affecting the rest of thedevice. For example, as pictured, a camera 1250 of mobile phone 1150 maybe covered by cap 1200 without significantly interfering in otherfunctions of mobile phone 1150. In another embodiment (depicted in FIG.12B), cap 1200 may be a sleeve or cover that surrounds a substantialportion of device 1150, while still leaving at least some surfaces ofdevice 1150 exposed. For example, as displayed in FIG. 12B, a sleeve1200 fits over the entire top of a mobile phone 1150. In a thirdembodiment (depicted in FIG. 12C), cap 1200 may be a container thatcompletely encloses device 1150.

In a preferred embodiment, cap 1200 completely insulates receiver 1250of device 1150 from receiving at least one form of user input. Theinsulation may take the form of creating a soundproof barrier around amicrophone, or an opaque barrier over a camera or other optical sensor,a Faraday cage over a wireless receiver to prevent transmission ofsignals, etc. Soundproofing may take the form, by way of non-limitingexample, of direct blocking with a soundproof material, through acousticcancelling (generating a waveform that destructively interferes withincoming sound) or imperfectly through interfering with incoming soundvia a louder noise, white noise, or other random or pseudo-random noise.

Receiver 200 of cap 1200 may be of the same type as that of blockedreceiver 1250, such as including one or more omnidirectional microphoneswhile blocking sound to a microphone, or including a camera whileblocking light from being received by a camera or optical sensor.Alternatively, receiver 200 may be of a different type, such that cap1200 is used to simultaneously block a camera while allowing a userverbal control via microphone 200 and gatekeeping module 201, or block amicrophone while allowing a user gesture control via camera 200 andgatekeeping module 201.

Cap 1200 may have an output system that sits within cap 1200 and thatcorresponds to the input that is blocked from perception by receiver1250. The output system may thus be used to selectively retransmitsound, video, or other data received by receiver 200 to receiver 1250within cap 200.

For example, cap 1200 might have three modes of operation: allowingreceiver 1250 to receive no data (a default state achieved by the cap);allowing receiver 1250 to receive all data (for example, by receivingaudio data with microphone 200 and then recreating the received data viaa speaker in the cap); or passing data through to receiver 1250 onlywhen preceded by a separate wakeup word/phrase/gesture/input from oneused by device 1150. If the second wakeup input is provided, data may bepassed through for a period of time (e.g., until the next user commandis performed by device 1150, until one minute has elapsed, until someother predetermined period of time has passed, etc.) or based on anothercriterion (e.g., pass through only verbal input discussing a certaintopic, pass through only verbal input by a particular speaker, passthrough only audio data when a person is not speaking, etc.) to allow auser greater control over what data device 1150 has access to.

Cap 1200 may also have a power socket into which a power cord of device1150 plugs in, or may have its own internal cable (for example, a USBcable) that plugs into device 1150 to provide power. Accordingly,gatekeeping module 201 may use these or other means (including, but notlimited to cutting off a power supply, actuating a power button orswitch, or engaging with an API of the device) to depower or repower thedevice.

Gatekeeping module 201 of cap 1200 may have an independent NLP processoror other processor capable of providing assistive responses to userinput without needing to transmit to a remote server 203 for analysisand information provision (e.g., for controlling smart appliances in ahouse, or for storing and retrieving reminders). Gatekeeping module 201may also be configured to transmit to a server computing devicedifferent from remote server 203 for analysis, fulfillment of userintents expressed as input, or updating of stored data. For example, ifdevice 1150 is programmed to transmit to a server operated by aparticular private vendor, cap 1200 may be used to redirect input to aserver operated by an alternate vendor or by the user himself, in orderto protect the privacy of some or all user input data.

Cap 1200 may comprise all or some of the functionality of accessory1100, including link 1105, so that it not only blocks or provides inputto a receiver of device 1150, but can also transmit data directly todevice 1150. Accordingly, it is possible for cap 1200 to use speakers orscreens of device 1150 or associated with device 1150 (e.g., remotespeakers or a screen to which device 1150 is casting content) to pass onreceived information via link 1105 or to play advertisements via link1105, so that cap 1200 may have no need for speakers or screens of itsown. Cap 1200 may also be used to retrieve and display (alone, or viadevice 1150) advertisement or other content from a remote server,playing those ads in addition to or in place of ads provided by device1150.

FIG. 13 depicts a system including a decoupled network device forproviding secure, always-listening functionality while selectivelydetouring a portion of a user's generated network traffic to analternate destination.

An always listening device 1150 may be configured to only connect toremote cloud-based server 203 via a network path that necessarily passesthrough a particular access point 1300, such as—by way of example only—awireless router, a mobile computing device providing a hotspot withtethering, a wireless signal repeater, a set top box, a desktop computeror other computing device, a network firewall, a networkswitcher/multiplexer/demuxer, or a cable modem, telephone modem, orsatellite or other modem.

Access point 1300 may, based on one or more received commands by a userof device 1150 or rules for interpreting input data received by theuser, either prevent the passage of some or all data transmitted byalways listening device 1150 from reaching an external network, oralternatively redirect a subset of data transmitted by device 1150 to aseparate server 1350 instead of to cloud computing device 203.

For example, a user may configure the device 1150 to connect to theInternet only through a hotspot provided by a mobile phone containingthe gatekeeping module 201 within. The user may then download andinstall a mobile app that uses the gatekeeping module 201 to allow theuser to give a voice command to his phone to disable or re-enablefunctionality of device 1150, which cannot transmit or receive data fromexternal networks without the data passing through gatekeeping module201.

Access point 1300 may contact an advertisement server 1350 to retrievecontextual or other advertisements and provide them to a user of device1150. Alternatively, access point 1300 may intercept and delete orreplace advertisements that would have been delivered to device 1150from remote server 203 or another server and displayed by device 1150.Access point 1300 may also be used to select another vendor for servicessuch as text search, instead of a default vendor.

Access point 1300 may be used to implement time-based controls over thetransmission of user input data by device 1150. For example, accesspoint 1300 may be used to prevent transmission of user input data from acertain time each night to a certain time each morning, for the durationof a social event like a party, while a user is engaging in a particularactivity or consuming particular content, or for a predefined oruser-defined period of time after the user issues a command to stoplistening.

Access point 1300 may also be used to implement filtering of particularuser input data. For example, access point 1300 may be used to filterout all data that does not comprise intentional user commands, all datathat does comprise an intentional user command, all data representinginput from a particular user, all data representing input from a personother than a particular user, all data concerning a particular topic,all data that does not concern a particular topic, all data that wouldbe handled by a particular application (a calendar app, a web browser, atext messaging app, etc.), all data except that which would be handledby a particular application, etc.

As a result of the foregoing decoupled devices, a user can be providedwith additional control over who has access to user actions and dataperceived by device 1150, and without having to trust the makers ofdevice 1150 or programmers of software being executed thereon.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

The present invention may be a system, a method, and/or a computerprogram product at any possible technical detail level of integration.The computer program product may include a computer readable storagemedium (or media) having computer readable program instructions thereonfor causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, configuration data for integrated circuitry, oreither source code or object code written in any combination of one ormore programming languages, including an object oriented programminglanguage such as Smalltalk, C++, or the like, and procedural programminglanguages, such as the “C” programming language or similar programminglanguages. The computer readable program instructions may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection may be made to anexternal computer (for example, through the Internet using an InternetService Provider). In some embodiments, electronic circuitry including,for example, programmable logic circuitry, field-programmable gatearrays (FPGA), or programmable logic arrays (PLA) may execute thecomputer readable program instructions by utilizing state information ofthe computer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the blocks may occur out of theorder noted in the Figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

What is claimed:
 1. An always-listening-capable first computing devicedecoupled from a second computing device having a communication moduleand in a same computing network, comprising: a first electronic sensor,configured to record user input comprising an utterance or gesture; agate-keeping module implemented by a processor, wherein all datareceived by the communications module based on data from the firstelectronic sensor passes through the gate-keeping module while agatekeeping function is disabled, wherein no data based on data from thefirst electronic sensor passes through the communications module whilethe gatekeeping function is enabled, wherein all data input to thegate-keeping module is received via an exclusive input lead from thefirst electronic sensor, and wherein all data output from thegate-keeping module is transmitted via an exclusive output lead to acomponent other than the first electronic sensor; and non-transitorymemory storing instructions that, when executed by a processor, causesthe processor to: determine that user input recorded by the firstelectronic sensor comprises a first input content; and retrieve aresponse to the user input from a first server different from a secondserver that the second computing device would have retrieved data frombut for the first computing device preventing an electroniccommunication being sent from the second computing device to the secondserver.
 2. The first computing device of claim 1, wherein the computingdevice is a wireless router.
 3. The first computing device of claim 1,wherein the computing device provides a wireless hotspot.
 4. The firstcomputing device of claim 1, wherein the computing device is a networkfirewall.
 5. The first computing device of claim 1, wherein a uniquenetwork path from the second computing device to the second serverpasses through the first computing device.
 6. The first computing deviceof claim 1, wherein the response from the first server comprises one ormore advertisements targeted to a user of the first computing device. 7.The first computing device of claim 1, wherein the first computingdevice is configured to selectively divert communications from thesecond computing device to the first server based on a current time. 8.The first computing device of claim 1, wherein the first computingdevice is configured to selectively divert communications from thesecond computing device to the first server for a finite window of time.9. The first computing device of claim 1, wherein the first computingdevice is configured to selectively divert communications from thesecond computing device to the first server based on a topic of userinput perceived by the first computing device.
 10. The first computingdevice of claim 1, wherein the first computing device is configured toselectively divert communications from the second computing device tothe first server based on an application at the second server that wasan intended recipient of user input.
 11. The first computing device ofclaim 1, wherein the first computing device is configured to selectivelydivert communications from the second computing device to the firstserver based on an identity of a user providing user input.
 12. A methodof providing information security in a second computing device having acommunication module, via an always-listening-capable first computingdevice decoupled from the second computing device and in a samecomputing network, comprising: determining that user input comprising anutterance or gesture and recorded by a first electronic sensor of thefirst computing device comprises a first input content; and retrieving aresponse to the user input from a first server different from a secondserver that the second computing device would have retrieved data frombut for the first computing device preventing an electroniccommunication being sent from the second computing device to the secondserver; wherein the first computing device comprises a gate-keepingmodule implemented by a processor, wherein all data received by thecommunications module based on data from the first electronic sensorpasses through the gate-keeping module while a gatekeeping function isdisabled, wherein no data based on data from the first electronic sensorpasses through the communications module while the gatekeeping functionis enabled, wherein all data input to the gate-keeping module isreceived via an exclusive input lead from the first electronic sensor,and wherein all data output from the gate-keeping module is transmittedvia an exclusive output lead to a component other than the firstelectronic sensor.
 13. The method of claim 12, wherein the computingdevice provides a wireless hotspot.
 14. The method of claim 12, whereina unique network path from the second computing device to the secondserver passes through the first computing device.
 15. The method ofclaim 12, wherein the response from the first server comprises one ormore advertisements targeted to a user of the first computing device.16. The method of claim 12, wherein the first computing device isconfigured to selectively divert communications from the secondcomputing device to the first server based on a current time.
 17. Themethod of claim 12, wherein the first computing device is configured toselectively divert communications from the second computing device tothe first server for a finite window of time.
 18. The method of claim12, wherein the first computing device is configured to selectivelydivert communications from the second computing device to the firstserver based on a topic of user input perceived by the first computingdevice.
 19. The method of claim 12, wherein the first computing deviceis configured to selectively divert communications from the secondcomputing device to the first server based on an application at thesecond server that was an intended recipient of user input.
 20. Themethod of claim 12, wherein the first computing device is configured toselectively divert communications from the second computing device tothe first server based on an identity of a user providing user input.